# DNS Enumeration and zone transfer

## Check basic tools availability

### Host

host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa.

```bash
$ whatis host
```

### Dig

dig is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried.

```bash
$ whatis dig
```

### Simple DNS lookup

```bash
$ host example.com
```

### Query name servers

```bash
$ host -t ns example.com
```

### A records

```bash
$ host -t a example.com
```

### MX records

```bash
$ host -t mx example.com
```

## General information gathering

```bash
$ dig example.com
```

### Specify type

```bash
$ dig -t ns example.com
```

### Perform zone transfer query

```bash
$ dig axfr example.com @dns.server.server
```
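
An added example, not part of the original page: a script that checks whether the authoritative servers of a zone you administer answer the `axfr` query above, by classifying `dig` output. The function names and both sample outputs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: check whether the name servers of a zone you administer
# answer AXFR requests. Function names and samples are illustrative.

# Count resource-record lines in dig output read from stdin. dig prefixes
# status and comment lines with ';', so every other non-blank line is a record.
count_records() {
    awk '!/^;/ && NF { n++ } END { print n + 0 }'
}

# Classify one AXFR attempt: prints "open <record count>" or "refused"
# (servers that time out or are unreachable also return no records).
classify_axfr() {
    n=$(count_records)
    if [ "$n" -gt 0 ]; then
        echo "open $n"
    else
        echo "refused"
    fi
}

# Attempt a transfer from each authoritative server listed for zone $1.
audit_zone() {
    zone=$1
    for ns in $(dig +short "$zone" NS); do
        result=$(dig +time=5 +tries=1 axfr "$zone" "@$ns" | classify_axfr)
        printf '%-40s %s\n' "$ns" "$result"
    done
}

# Constructed sample: server that refuses the transfer.
SAMPLE_REFUSED='; <<>> DiG 9.18.1 <<>> axfr example.com @ns1.example.com
;; global options: +cmd
; Transfer failed.'

# Constructed sample: server that hands out the whole zone.
SAMPLE_OPEN='; <<>> DiG 9.18.1 <<>> axfr example.com @ns2.example.com
;; global options: +cmd
example.com.      3600 IN SOA ns1.example.com. admin.example.com. 1 7200 3600 1209600 3600
example.com.      3600 IN NS  ns1.example.com.
www.example.com.  3600 IN A   192.0.2.10
example.com.      3600 IN SOA ns1.example.com. admin.example.com. 1 7200 3600 1209600 3600
;; XFR size: 4 records (messages 1, bytes 212)'

# Run the live audit only when a zone name is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_zone "$1"
fi
```

Pass the zone name as the only argument to run the live check. A server reported as `open` should have transfers restricted to its secondaries, for example with BIND's `allow-transfer` option.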

## General information, zone transfer and bruteforce

```bash
$ dnsenum example.com
```

```bash
$ fierce -dns example.com
```

## Effective bruteforcing with SecLists, nmap, fierce and dnsmap

```bash
$ nmap -p 53 --script dns-brute --script-args=[script-options] example.com
```

```bash
$ fierce -dns example.com -wordlist wordlist.txt
```

```bash
$ dnsmap example.com -w wordlist.txt
```
